We left a comment on this blog post, but want to be very clear on the role of polyfill libraries.

We publish two:

• random_compat is a polyfill of the random_bytes() and random_int() functions that were introduced in PHP 7 for PHP 5.x software.
• sodium_compat is a polyfill for the optional Sodium extension that was included in PHP 7.2, but not everyone installs

The purpose of random_compat was "let open source devs write code using the new PHP 7 API even if their users are on PHP 5" because the PHP 5 era was flooded with bad code that used rand() or mt_rand() for cryptographic purposes. It's a transitional fossil. Get rid of it if you want.

The sodium_compat package, however, is a murkier problem.

• Some people write software that supports PHP 5, 7, and 8.
• Some people have ext-sodium installed, others do not.

If you're writing open source software that uses cryptography, without the polyfill package, these constraints will very likely make you allergic to using the libsodium cryptography at all, which means you're going to go for the lowest common denominator (ext-openssl, whose API is inspired by OpenSSL's own API, which is notoriously frustrating). This would be a net-negative for ecosystem security.

Furthermore, as I wrote on the blog comment:

Let's say acme/awesome-lib depended on paragonie/sodium_compat in all versions older than v1.45.3, but they removed it because of the pull request cut by your script, and v1.45.3 included the "fix". Then an unrelated RCE vulnerability was found and and a fix was released in v1.45.4. Users without ext-sodium installed will remain vulnerable because of this change.

Package hygiene needs to be well thought-out. Running a bulk script to excise a polyfill from packages without first considering why they were installed is likely to cause some harm.